12.20.2010

An old but hugely overlooked issue. Many appliance vendors ship their units with a default private key for SSL communications. Even if you reissue a new certificate, your appliance could still be using the same private key as everyone else's.. and it's typically bundled within the firmware packages publicly distributed by the application vendor. This affects everything from DD-WRT to enterprise class VPN appliances, tape libraries, and firewalls.

Once the private key is obtained, you can decrypt the SSL stream with tshark:

tshark -nn -t ad -r -o ssl.keys_list:,443,http,"" -V -R http

Note: For successful decryption, the initial full SSL handshake must be present in the capture. A full SSL handshake contains ClientHello, ServerHello, Certificate, ServerHelloDone. If you only see ClientHello, ServerHello, ChangeCipherspec, this is a continuation of a previously established SSL session and cannot be decrypted as is.